How to configure AWS CLI on Linux and macOS
Configuring AWS CLI on Linux or macOS stores the credentials and defaults needed to run AWS commands without repeating the same account and region details on every invocation. A working local profile is the starting point for routine tasks such as listing S3 buckets, inspecting identities with STS, or running automation from a shell session.
The aws configure wizard writes the access key pair to ~/.aws/credentials and stores settings such as the default region and output format in ~/.aws/config. When no profile name is supplied, the wizard updates the default profile, which is the profile the CLI uses automatically unless a command or environment variable selects another one.
Current AWS guidance favors short-lived credentials where possible. The steps below focus on the classic access key workflow for aws configure; if the account uses console-based temporary credentials or IAM Identity Center, use aws login or aws configure sso instead of storing long-term keys locally.
Steps to configure AWS CLI on Linux and macOS:
- Open a terminal application.
- Confirm that AWS CLI is installed and available in the current shell.
$ aws --version aws-cli/2.34.18 Python/3.13.12 Darwin/25.3.0 source/arm64
Install the CLI first if the command is missing.
- Gather the AWS Access Key ID, AWS Secret Access Key, preferred region, and preferred output format for the account that will run CLI commands.
Do not configure routine CLI access with root account keys. Use a least-privilege IAM user or another approved credential source instead.
- Start the interactive configuration wizard for the default profile.
$ aws configure Tip: You can deliver temporary credentials to the AWS CLI using your AWS Console session by running the command 'aws login'. AWS Access Key ID [None]: AWS Secret Access Key [None]: Default region name [None]: Default output format [None]:
Use aws configure --profile profile-name when a separate named profile is needed instead of overwriting default.
- Enter the AWS Access Key ID when prompted.
AWS Access Key ID [None]: AKIAEXAMPLECORE00001
- Enter the AWS Secret Access Key when prompted.
AWS Secret Access Key [None]: coreSecretExample0000000000000000000000001
- Enter the default region for the commands that will use this profile.
Default region name [None]: us-west-2
Press Enter to leave the region unset when commands will always pass --region explicitly or use environment variables.
- Enter the preferred default output format, or press Enter to leave it unset.
Default output format [None]: json
Common formats are json, yaml, text, and table.
- Review the generated credentials file to confirm that the access key pair was written for the default profile.
$ cat ~/.aws/credentials [default] aws_access_key_id = AKIAEXAMPLECORE00001 aws_secret_access_key = coreSecretExample0000000000000000000000001
- Review the generated config file to confirm that the region and output defaults were stored separately from the secret material.
$ cat ~/.aws/config [default] region = us-west-2 output = json
Named profiles appear as [profile profile-name] in ~/.aws/config even though the credentials file still uses the bare profile name.
- Show the resolved configuration to verify that the CLI is reading the masked keys from ~/.aws/credentials and the region from ~/.aws/config.
$ aws configure list NAME : VALUE : TYPE : LOCATION profile : <not set> : None : None access_key : ****************MPLE : shared-credentials-file : secret_key : ****************EKEY : shared-credentials-file : region : us-west-2 : config-file : ~/.aws/config
This command is the quickest way to confirm which profile, file, environment variable, or login cache the CLI is actually using.
- Verify that the configured identity can make signed requests to AWS.
$ aws sts get-caller-identity { "UserId": "AIDASAMPLEUSERID", "Account": "123456789012", "Arn": "arn:aws:iam::123456789012:user/PlatformOperator" }A successful response confirms that the key pair works and shows the active account and user or role ARN.